
Vulnerability Advisor – Secure your Dev + Ops across containers


We introduced the Vulnerability Advisor (VA) service for IBM® Bluemix Containers and for container images in prior posts. VA provides vulnerability and best-practice reports about Docker images hosted in Bluemix. These reports are a convenient way of quickly knowing whether it is safe to deploy an image in Bluemix. For example, a user gets one of these tags for each of their images, indicating whether it is safe to deploy it as a container or not:

[Image: "deploy" tag shown on an image]

To put things in context, the following is a report for an Ubuntu container with 16 vulnerable packages and 3 security-related misconfigurations. The rules defining whether a package is vulnerable are derived from distribution security bulletins such as Ubuntu Security Notices, from CVE information in the National Vulnerability Database, and from IBM X-Force Exchange.

[Image: vulnerability report for an Ubuntu image with vulnerable packages and misconfigurations]

This is a very useful feature, but it does not capture the fact that a container (even one that started out safe) might later become malicious or dangerous. The first reason is that a user can log into the container and change the system on the fly: for example, the user runs docker exec and decides it would be a good idea to install sshd-server. The second reason is that Vulnerability Advisor updates a rule (e.g. a package vulnerability is discovered after the container started for the first time). Containers age and become more vulnerable than the image they were born from, as security experts discover new malware and vulnerabilities for the different distributions.

The missing feature is the ability to live-scan containers before they start (as images) and continuously while they are running, using the same rules as the ones for images. This feature helps monitor the latest configuration of running containers and checks for divergence from the image. Divergence usually means the system has untracked changes. Remember: a version control system should track all your changes to the system, and a re-deploy should be the only way to make those changes effective. In any case, it is very useful to detect when such changes happen. If the system allows them, it is still very likely that once in a while a developer will log into their container for a little harmless change. And then, once in a while, that harmless change will be disastrous.
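To make the two failure modes above concrete (a hand-made change after docker exec, and a rule that appears after the container started), here is an added example that is not part of the original post or of the VA service: a small rule-driven check over dpkg package inventories that reports vulnerable packages and drift between an image and its running container. The notice ids, fixed versions and inventories are constructed, and the version ordering is a simplified approximation of dpkg's.

```python
import re
from typing import Dict, List, Tuple

# Constructed rules in the spirit of a distro security notice (ids and versions
# are made up); DAY2 models a rule added after the container started.
RULES_DAY1 = {"openssl": ("USN-EXAMPLE-1", "1.0.2g-1ubuntu4.5")}
RULES_DAY2 = dict(RULES_DAY1, bash=("USN-EXAMPLE-2", "4.3-14ubuntu1.3"))

def _key(version: str) -> List[Tuple[int, object]]:
    # Approximates dpkg ordering: digit runs compare numerically, other runs
    # lexically. Not a full `dpkg --compare-versions` (no epoch/~ handling).
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|\D+", version)]

def older_than(installed: str, fixed: str) -> bool:
    return _key(installed) < _key(fixed)

def parse_dpkg(output: str) -> Dict[str, str]:
    # Parses `dpkg-query -W -f='${Package} ${Version}\n'` style lines.
    inv = {}
    for line in output.splitlines():
        if line.strip():
            name, ver = line.split(None, 1)
            inv[name] = ver.strip()
    return inv

def find_vulnerable(inv: Dict[str, str], rules) -> list:
    # (package, installed version, notice id) for every rule that matches.
    return sorted((p, v, rules[p][0]) for p, v in inv.items()
                  if p in rules and older_than(v, rules[p][1]))

def drift(image_inv: Dict[str, str], live_inv: Dict[str, str]):
    # Packages added, removed or changed in the running container vs its image.
    added = sorted(set(live_inv) - set(image_inv))
    removed = sorted(set(image_inv) - set(live_inv))
    changed = sorted(p for p in image_inv
                     if p in live_inv and image_inv[p] != live_inv[p])
    return added, removed, changed

# Constructed inventories: the image, and the same container after someone
# ran `docker exec` and installed an SSH daemon by hand.
IMAGE = parse_dpkg("openssl 1.0.2g-1ubuntu4.4\nbash 4.3-14ubuntu1.2\n")
CONTAINER = parse_dpkg(
    "openssl 1.0.2g-1ubuntu4.4\nbash 4.3-14ubuntu1.2\n"
    "openssh-server 1:7.2p2-4ubuntu2\n")

if __name__ == "__main__":
    print("image, day 1    :", find_vulnerable(IMAGE, RULES_DAY1))
    print("drift           :", drift(IMAGE, CONTAINER))
    print("container, day 2:", find_vulnerable(CONTAINER, RULES_DAY2))
```

Running the day-2 rules against the live inventory is what turns a container that was clean at start into one with findings, which is exactly the case a one-time image scan misses.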

Vulnerability Advisor Live-scanner

We now introduce the Live-scanner service for running containers in Bluemix (notice the part about running containers).

I know what you’re saying: ‘Where can I get these fine new items?’ Well, that’s the gag. Chances are, you’ve bought ’em already! — The Joker (Batman 1989)

If you want to use this new feature, all you have to do is start a container as you did before. In fact, existing containers already have a Vulnerability report, the same report you would get for an image. VA generates this report within a couple of minutes of starting a new container, and regenerates it once every day. You do not have to change your container or image in any way to get these reports. More specifically, you do not have to install an agent in the container, run a sidecar container, or make your image use a special base image. It all works out of the box. Here is an example of a container without vulnerabilities:

[Image: running container shown with a clean vulnerability status]

You can then click on the panel, and the same detailed report as the one for images will show the container's Vulnerability report:

[Image: detailed vulnerability report for the clean container]

Try Vulnerability Advisor, it’s free!

VA for running containers is now available to you in production in IBM Bluemix Containers Service. Don’t forget to play with this new feature. It should be easy. Again, all you have to do is take a look at your existing containers in the console.
